.................

Advanced search
IBM home | Products & services | Support & downloads | My account

IBM developerWorks : Security : Security articles

Hacking techniques

Introduction to password cracking Contents:

Attackers: how and why
Rob Shimonski (rshimonski@rsnetworks.net)
they attack
Lead Network and Security Engineer
July 2002 Methods of attack
Password and user account exploitation is one of largest issues in Tools of the trade
network security. In this article Rob Shimonski will look at password
Internal attacks
cracking: the how and why of it. Rob will explain just how easy it is
to penetrate a network, how attackers get in, the tools they use, and Example: The disgruntled
ways to combat it. employee
Attacks on a company or organization's computer systems take many Example: The help desk
different forms, such as spoofing, smurfing, and other types of Denial of technician
Service (DoS) attacks. These attacks are designed to harm or interrupt the
External attacks
use of your operational systems. This article deals with a single wide-spread
form of attack known as password cracking. Example: Web site home
page defacing
Password cracking is a term used to describe the penetration of a network,
system, or resource with or without the use of tools to unlock a resource that A protection check list
has been secured with a password. In this article I will take a look at what Summary
password cracking is, why attackers do it, how they achieve their goals, and
what you can do to do to protect yourself. I will briefly take a look at the Resources
attackers themselves: their psychological makeup and their motives. About the author
Through an examination of several scenarios, I will describe some of the
techniques they deploy and the tools that aid them in their assaults, and how Rate this article
password crackers work both internally and externally to violate a
company's infrastructure. Finally, the article provides a checklist to help Related content:
protect you from password cracking. Lifting the covers:
Analyzing selected network
Before exploring the methods for doing this, let's first peer into the mind of
attacks
the attacker and learn why they might want access to your network and
systems. Protecting Passwords:
authenticating users
Attackers: how and why they attack
There is an on-going debate about the definition of the word hacker. A Subscribe to the
hacker can be anyone with a deep interest in computer-based technology; it developerWorks newsletter
does not necessarily define someone who wants to do harm. The term More dW Security
attacker can be used to describe a malicious hacker. Another term for an
resources
attacker is a black hat. Security analysts are often called white hats, and
white-hat analysis is the use of hacking for defensive purposes.
Attackers' motivations vary greatly. Some of the most notorious hackers are high school kids in their
basements planted in front of their computers looking for ways to exploit computer systems. Other
attackers are disgruntled employees seeking revenge on a company. And still other attacks are motivated
by the sheer challenge of penetrating a well-secured system.
Methods of attack
Password cracking doesn't always involve sophisticated tools. It can be as simple as finding a sticky note
with the password written on it stuck right to the monitor or hidden under a keyboard. Another crude
technique is known as "dumpster diving," which basically involves an attacker going through your garbage
to find discarded documentation that may contain passwords.
Of course attacks can involve far greater levels of sophistication. Here are some of the more common
techniques used in password cracking:
● Dictionary attack
A simple dictionary attack is by far the fastest way to break into a machine. A dictionary file (a text
file full of dictionary words) is loaded into a cracking application (such as L0phtCrack), which is
run against user accounts located by the application. Because the majority of passwords are often
simplistic, running a dictionary attack is often sufficient to to the job.
● Hybrid attack
Another well-known form of attack is the hybrid attack. A hybrid attack will add numbers or
symbols to the filename to successfully crack a password. Many people change their passwords by
simply adding a number to the end of their current password. The pattern usually takes this form:
first month password is "cat"; second month password is "cat1"; third month password is "cat2"; and
so on.
● Brute force attack
A brute force attack is the most comprehensive form of attack, though it may often take a long time
to work depending on the complexity of the password. Some brute force attacks can take a week
depending on the complexity of the password. L0phtcrack can also be used in a brute force attack.
Next, take a look at some of the tools attackers use to break into a system.
Tools of the trade
One of the most popular tools is L0phtCrack (now called LC4). L0phtCrack is a tool that allows an
attacker to take encrypted Windows NT/2000 passwords and convert them to plaintext. NT/2000
passwords are in cryptographic hashes and cannot be read without a tool like L0phtCrack. It works by
attempting every alphanumeric combination possible to try to crack passwords.
Another commonly-used tool is a protocol analyzer (better known as a network sniffer, such as Sniffer Pro
or Etherpeek), which is capable of capturing every piece of data on the network segment to which it is
attached. When such a tool is running in promiscuous mode, it can "sniff" everything going around on that
segment such as logins and data transfers. As you'll see later, this can seriously damage network security
allowing attackers to capture passwords and sensitive data.
Let's take a look at a few scenarios and examine how attackers launch their attacks and how they might be
stopped or prevented. I'll first describe a couple of scenarios involving internal attacks (that is, attacks that
originate within an organization), and then take a look at a couple of scenarios involving external attacks.
Internal attacks
Internal attackers are the most common sources of cracking attacks because attackers have direct access to
an organization's systems. The first scenario looks at a situation in which a disgruntled employee is the
attacker. The attacker, a veteran systems administrator, has a problem with her job and takes it out on the
systems she is trusted to administer, manage, and protect.
Example: The disgruntled employee
Jane Smith, a veteran system administrator with impeccable technical credentials, has been hired by your
company to run the backup tapes during the late evenings. Your company, an ISP, has a very large data
center with roughly 4000+ systems all monitored by a Network Operations Center. Jane works with two
other technicians to monitor the overnight backups and rotate the tapes before the morning shift comes in.
They all work independently of each other: one technician works on the UNIX Servers, one technician
covers the Novell Servers, and Jane has been hired to work on the Windows 2000 Servers.
Jane has been working on the job for six months now and is a rising star. She comes in early, stays late and
has asked to transfer to another department within the company. One problem: there are no open positions
at the time. During the last month you (security analyst) have noticed a dramatic increase in the number of
attempts at Cisco router and UNIX Server logins. You have CiscoSecure ACS implemented so you can
audit the attempts and you see that most of them occur at 3 a.m.
Your suspicions are aroused, but as a security analyst, you can't go around pointing fingers without proof.
A good security analyst starts by looking deeper into the situation. You note that the attacks are from
someone of high caliber and occur during Jane's shift, right after she is done with her tape rotation
assignment and usually has an extra hour to study or read before the day operations team comes in. So you
decide to have Jane supervised at night by the night operations manager. After three weeks of heavy
supervision, you notice that the attacks have stopped. You were right. Jane was attempting to log into the
Cisco routers and UNIX servers.
A good security analyst also needs to employ a good auditing tool, such as Tacacs+, to log attacks.
Tacacs+ is a protocol used by applications such as CiscoSecure ACS that will force Authorization,
Accountability, and Authentication (AAA for short). If you have Authorization, then the person requesting
access needs to be authorized to access the system. If you have Authentication, then the user accessing a
resource needs to be authenticated with rights and permissions to have access. What happens when you are
authorized and also authenticated? You must be held Accountable. Accounting logs alone solve many
password cracking problems by forcing an attacker to be held accountable, authenticated and authorized.
Next, I'll give an example of an old (but still widely used) attack, which involves sniffing passwords right
off the network. You can see how a network supervisor had his Cisco routers and switches cracked by a
help desk technician within the company.
Example: The help desk technician
Tommy is hired for the position of help desk technician to work with the after hours help desk crew. The
after hours help desk staff is made up of roughly 10 technicians who provide coverage for eight remote
sites that the company needs to support during off hours. Tommy always brings his laptop with him to
work. When questioned about the laptop by his manager, Tommy explains that he is using his break time
to prepare for a certification test. This seems harmless and is approved, even though there is a
company-wide security policy in place about bringing machines from the outside into the corporate
network without corporate security looking the device over.
Tommy is eventually caught by a surveillance camera leaving a small wiring closet with something under
his arm. But since nothing is reported missing, there is no way to prove that Tommy has done anything
wrong. And when questioned by the help desk manager about why he was in the closet, Tommy says that
he mistakenly entered it thinking it was a break room.
The company's security manager, Erika, sees the report filed by the guards responsible for the physical
security of the building. She wonders what Tommy was doing in that closet and is not satisfied with the
answer he gave to the help desk manager. Upon searching the closet, she finds an unplugged patch cable
hanging from one of the patch panels and an empty hub port. When she plugs the cable back in, the link
light does not come back on suggesting that this is a dead port. Cable management Velcro straps neatly
hold all the other cables together. With Erika's years of experience and keen sense of security exploitation,
she knows exactly what happened.
Erika assumes that Tommy has brought his laptop in the wiring closet unseen. He most likely looked for a
dead port on the hub and plugged his laptop in with a packet sniffer installed on it, which promiscuously
picks up traffic on a network segment. He returns later to pick up the laptop, which is caught on the
surveillance camera, to take home for analysis after saving the capture file.
Using the company's security policy, she confronts Tommy and explains that all personal property, such as
laptops and palm pilots, are subject to search if on the premises illegally. Since Tommy never should have
had his laptop there in the first place, he hands it over to Erika. Upon careful examination, Erika finds the
following trace decode as seen in Figure 1.
Figure 1. Captured telnet traffic with a protocol analyzer

A close examination of the Hex pane of the Sniffer Pro analyzer in Figure 2 reveals ASCII data in clear
view on the right side of the pane. While attached to a switch in the closet, Tommy ran the configuration
while connected via a telnet session. Since the telnet protocol is unsecure and sent via cleartext, it is easy
to see the password: "cisco."
Figure 2. ASCII decode of plaintext data

This is one of the most basic principles of security: Never use a product name as a password. But in spite
of how basic a principle it is, it's remarkable how often it is still done.
Next, turn your attention to some external threats.
External attacks
External attackers are those who must traverse your "defense in depth" to try and break into your systems.
They don't have it as easy as internal attackers. The first scenario involves a fairly common form of
external attack known as Web site defacing. This attack uses password cracking to penetrate the systems
that the attacker wants to deface. Another possible password cracking attack is when an attacker tries to
obtain passwords via Social Engineering. Social Engineering is the tricking of an unsuspecting
administrator into giving the account ID and passwords over to an attacker. Lets take a look at both.
Example: Web site home page defacing
Figure 3 demonstrates a fairly common and simple example of external password cracking: defacing a
Web site's home page. It takes little effort and is usually accomplished by simply exploiting an Internet
Information Server (IIS) that has its permissions set incorrectly. The attacker simply goes to a workstation
and tries to attack the IIS server with an HTML editing tool. When trying to attach over the Internet to the
site, the attacker uses a password generator tool, such as L0phtCrack, which launches a brute force attack
against the server.
Figure 3. Home page replaced by an attacker
Your company's reputation is on the line. Business vendors and associates will lose faith in you if they
perceive that your data is kept on unsecured servers. Make sure you look at inside and outside threats
equally.
Example: Social engineering tricks
Non-tool related tricks to crack passwords are called social engineering attacks. Read this a scenario to
learn more.
Jon is the new security analyst for a large company. His first job is to test his company's security stance.
He of course lets management know what he is about to do (so he doesn't get labeled as an attacker
himself). He wants to see how hard it is to crack into the network without even touching a single tool. He
tries two separate but equally devastating attacks.
As a new employee in a large organization, John isn't known to many people yet, which makes it easy for
him to pull off his first social engineering attack. His first target is the help desk. Jon makes a routine call
to the help desk and asks for a password reset as a supposed remote user. Jon already has half the
information he needs since he knows that the company's naming convention is simply first name and the
first initial of the user's last name. The CIO's name is Jeff and his last name is Ronald, so JeffR is his
login ID. This information is readily available from the company's phone directory. Masquerading as the
CIO, Jon calls the help desk and asks for a password reset because he has forgotten his password. This is a
normal ritual for the help desk technician who resets forgotten passwords 100 times a day and calls the
requestor back letting them know what their knew password is. The help desk technician calls Jon back
five minutes later and lets him know that his new password is "friday" because it happens to be Friday.
Within another 5 minutes, Jon is in the CIO's shared files on the server and in his e-mail.
Jon's next social engineering attack involves a good friend of his who works for the local telephone
company. Jon borrows some of his gear and his belt and badge on his friend's day off. Jon takes his new
gear and heads to another part of the organizations campus where all the disaster recovery routers and
servers are located. This hardware contains a working copy of all the company's current data and is
considered confidential. Jon walks into the campus security office in his Telco costume and explains that
he has been called out by the Local Exchange Carrier (LEC) because a circuit appears to be looped from
the Telco. He needs to be let into the data center so he can check out if there are any alarms on the Smart
Jack.
The onsite administrator escorts Jon to the data center not even checking his ID. Once inside, the
administrator wisely sticks around, so Jon starts his test. After a few minutes, Jon informs the
administrator that he will have to call his office and have them run some more tests so he can loop off the
Smart Jack and try to troubleshoot. Jon lets the administrator know that this will take about 45 minutes, so
the administrator gives Jon his pager number and asks that he page him when he is done to let him out. Jon
has now successfully eliminated the only obstacle between him and the 30 servers all lined up in racks
along the back wall of the data center.
Jon has a few different opportunities now. He can go to every server and start looking for unlocked
consoles, or he can plug his laptop into an open port and start sniffing. Since he really wants to see how far
he can go, he decides to look for open consoles. After five minutes of looking through all the KVM slots,
he finds a Windows NT server running as the Backup Domain Controller for the Domain. Jon pulls a CD
out of his bag and enters it into the CD tray of the server. He installs L0phtCrack onto a BDC for the
companies Domain and runs a dictionary attack. Within five minutes produces the following password:
Yankees. It turns out the lead administrator is a New York Yankees fan. He now has access to the
company's most vital information.
Now look at how this was done.
Figure 4. Using L0phtCrack to break the Administrator password
A protection check list
Here is a checklist of things you can do to make password cracking more difficult:
● Audit your organization! Do a walk through and make sure passwords are not stuck to monitors or
under keyboards.
● Set up dummy accounts. Get rid of the administrator (or admin) account or set it up as a trap and
audit it for attempts.
● Use strong, difficult to guess passwords, and never leave a console unlocked.

● Backups are necessary in case you are compromised. You need a working set of data, so make sure
you have it. Keep the tapes secure too, or the data there will be compromised as well.
● Prevent dumpster diving. Don't throw sensitive information away; shred it or lock it up.

● Check IDs and question people you don't know. When you have visitors, check them out and make
sure they belong.
● Educate your end users. Make sure they aren't prone to social engineering and educate and remind
internal users of the company's security policies.
Summary
In this article I've described some of the psychology behind an attacker's motivation and some of the
low-tech and high-tech methods used to crack passwords. You've looked at several attack scenarios,
including attacks against major companies by a veteran administrator, a help desk technician, and an
outside vandal. You also saw how password crackers use techniques both internally and externally to your
infrastructure. Finally, some ideas on how to properly secure yourself and your systems from the
possibility of a password cracking attack were offered. Combating these attacks ultimately requires a
conscious effort, trained individuals, useful tools, and sound security policies. Hopefully, as a proactive
security analyst, you can make a difference in helping to slow down this malicious activity within your
organizations as well as outside of them. Otherwise, you may find Jon in your server room with a smirk on
his face and your data in his hands.
Resources
● Read the developerWorks article Protecting Passwords: authenticating users, this article is a great
read to get your mind around how to protect your passwords in the first place.
 ● See also the developerWorks article Setting up a security policy, also a must read.
● The CERT Coordination Center is a center of Internet security expertise at the Software Engineering
Institute, a federally funded research and development center operated by Carnegie Mellon
University. They study Internet security vulnerabilities, handle computer security incidents, and
publish security alerts.
● Check out the following article available from the CERT organization on Protecting Yourself from
Password File Attacks.
● Password Cracking Activity discovered by the CERT organization can be researched at
http://www.cert.org/incident_notes/IN-98.03.html.
● Password cracking tools are available worldwide over the Internet. Check out
http://www.pwcrack.com for security and cracking resources available on the Internet.
● Sans.org is the leading source of Internet and Network security administration worldwide. You can
research many topics in their extensive library of information.
● General Security information can be found and researched on the Security Focus Web site.
● See also IBM Security Solutions site.
About the author
Robert J. Shimonski (Truesecure TICSA, Cisco CCDP, CCNP, Nortel NNCSS, Microsoft MCSE, MCP+I,
Novell Master CNE, CIP, CIBS, IWA CWP, Prosoft CIW, SANS GSEC, GCIH, CompTIA Server+,
Network+, Inet+, A+, e-Biz+, Symantec SPS and NAI Sniffer SCP) is a Lead Network and Security
Engineer for a leading manufacturer company. Robert's specialties include network infrastructure design
with the Cisco and Nortel product line, network security design and management with CiscoSecure and
PIX firewalls, network management and troubleshooting with CiscoWorks, CiscoSecure, Sniffer-based
technologies, and HPOV. Robert is the author of many security-related articles and published books,
including the upcoming Sniffer Network Optimization and Troubleshooting Handbook from Syngress
Media, Inc. You can contact Robert at rshimonski@rsnetworks.net.

What do you think of this article?

Killer! (5) Good stuff (4) So-so; not bad (3) Needs work (2) Lame! (1)

Comments?

Submit feedback

IBM developerWorks : Security : Security articles

About IBM | Privacy | Legal | Contact